After the disclosure of the host_id authentication issues that plagued the popular Dropbox service last week, a new issue came up with the fact that Dropbox can detect whether the files you are trying to upload to their cloud already exist there, and “save you the bandwidth” of uploading it if they already have a copy in hand.
So – the Dropbox client probably checks for the hash of the file being uploaded against a list of hashes of existing files that are already stored on the cloud. It may also be that the files stored online are encrypted. So… what’s the big deal?
One has to remember that when using a service such as Dropbox (and I’m an avid user myself), you clearly do not have full control over the material you upload, and the online encryption is only a fraction of the protection you may be seeking. There is no key management visible to the user. There is no way that each client you use has its own key, nor they share keys, and if they do, Dropbox is managing your keys. This also gives them the ability to decrypt your data at any given time. Subsequently, it also gives them the ability to provide you with the file of another user if you tried to upload it yourself (hence saving you the bandwidth) – for example, when you may want to access it from a client which does not have the synched copy of your account (or through the web interface). They just decrypt the other user’s file, and serve it back to you. After all – you have the same one back on your home/work/whatever PC (remember that you showed “proof” by providing the hash before).
Which brings us back to reality – what are we really exposed to here in terms of risk?
Dropbox has the ability to access the contents of my files.
If I can come up with a hash of a file that I know someone else has, and that file may be confidential in some way, I can potentially claim to upload the same file, and then download the real one (as I don’t really have the original) from another client or through the web interface.
Clearly, the media attention to point 1 is important – but still not really interesting as people should have had a clue when they send their files to the “cloud”.
However, point 2 makes a more interesting argument… It would be interesting to see when the first “hack” will come along which will start “uploading” files (by hacking the client protocol – hint: start here, here, and here) just based on hashes, and then downloading them as if from another client to see what you get (if they were “cached” already on the Dropbox cloud). Now that would be an interesting little experiment…
This is going to be painful, so hold on.
Instead of mumbling short tweets about things I think that suck, I decided to keep everything in and just formulate a post on it.
This post is a rant. Itâ€™s a complicated rant by an â€œoldâ€ guy (my excuse for cynicism) in the industry whoâ€™s had a chance to see a lot going. Disclaimer: Iâ€™m going to give some examples here, real life examples from my own experience in the security industry. Some are from my consulting days, some from the vendor days, some from freelance and other gig days. If you think you are someone who Iâ€™m describing here – you probably arenâ€™t. On the other hand, if you can recall some snotty smart-ass dude come into your company wearing orange bermuda pants (swear to god) sandals and (hold it) silver toenail polish (I was going through something back then), telling you how badly your security sucks and leave a single pager report on it showing gaping holes in technology and processed, well, Iâ€™m sorry…
Disclaimers aside, down to business.
What have we learned over the past decade in the security business – letâ€™s see: AV is pretty much the same as it was in 2000 (which is the same as it was in 1990, you get the point). Firewalls do pretty much the same give or take a couple of useless protocols that nobody needs. Oh, oh, I know (yeah – I can hear you from the back of the room) – WAF!. Well, WAF right back at you. Doesnâ€™t work, didnâ€™t work back in the days when it took 3 days to configure it for a small site, and still doesnâ€™t do much good other than the simple stuff (which you can get for free at ModSecurity).
We have almost no technological advantage over what we used to have 10 years ago. So, you must say, we learnt that we as security people must have gone through so much that we manage and deal with the risks and threats much better. Yes, thatâ€™s a tear at the corner of my eye. How much I wish you were right.
The same people who I used to see so excited by their newfangled CxO title and their big office 10 years ago, who didnâ€™t know what to do in order to do their jobs, are not doing any better than most companies nowadays.
Then, just like now, they are still trying to find the right â€œstuffâ€ thatâ€™s going to save their world if they just buy/lease/license it and install it in a shiny new rack. Now, just like then, we are focused on finding â€œvulnerabilitiesâ€ and categorizing them â€œhigh, medium, lowâ€ (or whatever scale that doesnâ€™t mean anything) in our networks, operating systems and applications. Then, just like now, we canâ€™t tell the difference whether a threat will render our business useless, rob us blind, or just evaporate like a baby hiccup with a faint noise of â€œFUDâ€.
I meet a lot of talented young (and old) security people, they are all bright-eyed, bushy-tailed and ready to fight until the last drop of blood over what they were trained/self-taught/researched. And I envy them. I envy the ability to just disconnect, to adapt that tunnel-vision that allows them to dig right in to the utter abyss of a technical challenge. I also meet a lot of people with broad vision of how security should be. They have forgotten the technical mumbo-jumbo the kids are talking about today. â€œSea surf? Yeah! I remember surfing when I was a kid…â€, â€œSequel? Which one? I thought the matrix series was over…â€, â€œBut let me tell you about my new world cyber-peace strategy…â€. You get the point.
And don’t even get me started on all these certifications that everyone goes after. The sad fact is, these things have kept us back from thinking differently. They boxed us into whatever the course/certification/training is trying to cram into us on a technical level, and basically leave it at that. It created a 400 pound gorilla of money sucking industry without really giving us back any more talent. Most of my friends in the industry have some kind of certification (or two, or ten), but I still call them friends not because the number of certs they have on their business card, but because I know they don’t really need these certs to be professional security people.
What Iâ€™m still struggling with is the middle. I have always been looking for the middle (even as a kid – â€œyour son is about average, but heâ€™s got great potentialâ€ was a recurring parent-meeting slogan through all my school years). The middle which have built itself over the foundations of technical research, got their hands dirty in pen-tests, trying out new products, breaking stuff left and right, losing once in a while to get their bearings right. The middle who didnâ€™t get blinded by a new management position, and kept relatively up-to-date on whatâ€™s going on. The middle who didnâ€™t skip last yearâ€™s DefCon/BlackHat/Shmoocon/[your-favorite-con] talk because he thought it was some passing fad (and didnâ€™t want to admit that itâ€™s just too darn complicated for them to get into new stuff). The middle who took up looking at how the business works. From the numbers, through the sales, operations, tech-support, client meetings, competition and the board-room decisions. We forgot that this middle is our only chance to make progress, because this middle can translate the latest threat to numbers. Numbers that not only the CIO/IT guy can understand, but the CFO, the accountant, the COO and the order fulfillment guys can understand. The real impact on the business. With numbers, with a strategy on how (if ever) to address it, with an understanding that it might not be the latest and greatest gizmo that we need here, but something much simpler. An old solution, a tweak here and there – in a product, or a business operation. A quick chat with the procurement department on how they process stuff, or a change in the way that the sales organization works in the field when they run off to customers and meet the competition.
I find myself trying to fit in the middle too many times. Iâ€™ll admit it – I didnâ€™t think of a middle back when I started getting paid for breaking things, but I saw the middle. I havenâ€™t figured out the right terminology until 6 or 7 years ago for this middle. But darn it! (imagine what I held back until now…) I like that middle, and unfortunately (or fortunately as my accountant would say) we are still bad at filling that middle. We still havenâ€™t bridged the gaps between the techies and senior management (Iâ€™m obviously generalizing, but look at your average F-100 company – youâ€™ll get it…). Between the millions of dollars we spend on the wrong things, and the vague strategies we build on top of them to fend off auditors and boardroom questions.
Letâ€™s get the good guys from both sides back to the middle. Letâ€™s get the techies some business training, dress â€˜em up nice and give them the tour. Letâ€™s send our CxOâ€™s to DefCon for a refresher on how things are done these days. Thereâ€™s no shame in learning. If I find a day in which I didnâ€™t have a chance to learn something new – technical, financial, political, strategy or disassembly, I feel wrong. Letâ€™s justify our overpriced salaries and really make something out of it. We were used to be paid to think outside the box, and all we did since we started getting paid is to paint the box in crayons.
Break the box. Down to itâ€™s nails and planks. See what makes it tick. Reassemble, open, get out, close it, and think how to make it better.
p.s. – whatâ€™s with the parenthesis you ask? well, thatâ€™s just how I like to write, and besides – it leaves room to put things in the middle 😉
You must have seen this coming – I was holding off from discussing cloud security for quite some time for a few good reasons, but now it’s time to take a look at where are we (or more correctly – are we there yet?).
First things first – the main reason for abstaining from the cloud security discussion was simply the lack of definition (andÂ existence) of clouds… True – Amazon has provided the infrastructure to the first layers of building cloud solutions, but full-on “process-as-a-service” has yet to emerge from the different offerings that call themselves cloud. There has been enough ink (bits?) spilled over what reallyÂ isÂ Â cloud computing and what it isn’t (you can check out Craig’s presentation, and Hoff’s view on things).
And now to my 2c on the subject at hand, I have been involved with a few cloud security companies in the past months and being able to lend a hand at the strategic level, I was exposed to several aspects of where are we now with cloud computing, where are the gaps that security firms will need to pitch in and provide basic protections, and a whole lot of marketing fuzz that needed to be thrown off in order to realize what’s out there.
To begin with, we had to sift through the marketing mambo-jumbo to get to the point – seems like the more expensive your marketing budget is, the farther away you get from reality in your message – too bad (and that’s coming from someone who turned a lot of technical material into marketing…). Hence the first point – blowing enough smoke to make everyone tear does not constitute for creating a cloud.
Point two – now that we to the bottom of the offering (and I’m not going to name names…), one usually realizes that it has either been out there for quite a while and has been wrapped in clouds to sell it better, or that someone has made some basic adaptations to an existing offering (see roaming users, VPN, scanning services) to cloudify it. Whatever is left that did not fit into the previous schemes is worth a second (or is it third by now) look.
Point three – what’s the market for your cloud offering? The last hurdle that all these new cloud companies face is choosing (or defining) a direction. Do you see yourself providing a solution for the end users? for businesses? for the cloud infrastructure providers? for providers of services/software/processes on the cloud? If you get an answer in the lines of “we basically provide a solution for all of them” – run! As each of the mentioned markets have different needs, and different views on their place in the cloud, you better get a solid answer for this. I strongly suggest reading the “Cloud Architecture” section written by Chris Hoff which is part of the Cloud Security Allianceâ€™s â€œGuidance for Critical Areas of Focus” starting at page 15 in order to get an idea on the latter.
Now with most of the fluff away, and the offering at hand we can actually focus on whether it makes sense (business-wise), and where does security fit in. By no means this is going to be a guide for securing the cloud, but always remember the architectural model – from hypervisor, all the way through multi-tenanting, data abstraction and sharing, inter and outer process communication, and off to simple abuses of the cloud in the form of DDoS, Botnet tools, etc…
Hope this made some sense – if not I can only suggest reading some more material on it, and to play around with the current offerings from Amazon, Azure (MS), and Ubuntu (Canonical).